Malware Analysis Report

2024-10-10 10:12

Sample ID 230724-sl2g1sfb9w
Target Venom5-HVNC-Rat.rar
SHA256 9e3cde7a6f4c114daf5627a39a5999918f894489c922d82008cb21771f761d45
Tags
agilenet rat asyncrat arrowrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Further behavioral runs, each with the same six sub-sections as behavioral2 (only behavioral2 is reproduced on this page), in the report's order: behavioral3, behavioral19, behavioral23, behavioral10, behavioral18, behavioral22, behavioral28, behavioral31, behavioral15, behavioral24, behavioral11, behavioral20, behavioral30, behavioral14, behavioral16, behavioral21, behavioral27, behavioral32, behavioral1, behavioral6, behavioral13, behavioral8, behavioral12, behavioral17, behavioral4, behavioral25, behavioral26, behavioral29, behavioral5, behavioral7, behavioral9

Analysis Overview

score
10/10

SHA256

9e3cde7a6f4c114daf5627a39a5999918f894489c922d82008cb21771f761d45

Threat Level: Known bad

The file Venom5-HVNC-Rat.rar was found to be: Known bad.

Malicious Activity Summary

agilenet rat asyncrat arrowrat

Async RAT payload

Asyncrat family

Arrowrat family

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

NTFS ADS

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-24 15:13

Signatures

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
46 matches; no per-match details in the report (all four fields N/A on every row)

Asyncrat family

asyncrat

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
2 matches; no per-match details in the report (all four fields N/A on every row)

Unsigned PE

Description Indicator Process Target
80 matches; no per-match details in the report (all four fields N/A on every row)

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

1336s

Max time network

1164s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar

What this run actually exercised: the image has no handler registered for .rar, so cmd's attempt to open the archive raised the Open With dialog (OpenWith.exe -Embedding under Processes) and nothing was extracted from the sample; the Files section lists only Firefox profile files, the WinRAR installer and an Office MRU index. The remaining activity is the sandbox's simulated user at work: Firefox downloading winrar-x64-622.exe from www.win-rar.com (which is what the "Downloads MZ/PE file", "Executes dropped EXE" and "NTFS ADS" hits below refer to) and Excel opening RepairLimit.csv. The family verdicts on this page (Async RAT payload, Arrowrat, Asyncrat) come from the static1 pass, not from this detonation.

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
N/A N/A C:\Users\Admin\Downloads\winrar-x64-622.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\winrar-x64-622.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\OpenWith.exe N/A 1
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 4
N/A N/A C:\Users\Admin\Downloads\winrar-x64-622.exe N/A 6
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A 14

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3692 wrote to memory of 632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 632 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 632 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 48
PID 632 wrote to memory of 1544 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 3

All 64 writes are firefox.exe into firefox.exe: the first firefox.exe (3692) into the browser process it spawns (632), and 632 into its content processes (the -contentproc command lines under Processes name 632 as their parent). That is normal Firefox multi-process startup, not injection by the sample.
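A small triage helper for tables like the one above, added here as an example and not part of the sandbox's own tooling. It collapses the one-row-per-call output into (source PID, target PID, source image, target image) counts and flags only writes that cross an image boundary, which is the shape of process injection; same-image writes are what a multi-process browser or an installer does to its own children. The rows in SAMPLE_ROWS are three copied from this table plus one invented injection-shaped row (payload.exe into RegAsm.exe) that is not from this report; the regex assumes every image path ends in ".exe" so the two space-containing paths can be separated.

```python
"""Collapse a sandbox 'Suspicious use of WriteProcessMemory' table into
(source PID, target PID, source image, target image) -> count, and flag writes
that cross an image boundary. A process writing into children of its own image
is the normal shape of a multi-process browser or installer; a write into a
different executable is the shape of injection and deserves a look at the dump.
Added example; not part of the sandbox's tooling."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: rows follow the report's layout exactly and every image path ends
# in ".exe", so the two space-separated paths can be told apart.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$",
    re.IGNORECASE,
)

# Constructed sample: three rows copied from the table above plus one invented
# row (payload.exe -> RegAsm.exe) that is NOT from this report; it only shows
# what an injection-shaped write looks like to the filter.
SAMPLE_ROWS = r"""
PID 3692 wrote to memory of 632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3692 wrote to memory of 632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 632 wrote to memory of 2824 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 5555 N/A C:\Users\Admin\AppData\Local\Temp\payload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"""


def parse_rows(text):
    """Return (src_pid, dst_pid, src_img, dst_img) for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def collapse(rows):
    """Count identical writes; the report prints one row per WriteProcessMemory call."""
    return dict(Counter(rows))


def cross_image_writes(rows):
    """Collapsed entries whose source and target executables differ by file name."""
    flagged = {}
    for key, n in collapse(rows).items():
        src_img, dst_img = key[2], key[3]
        if PureWindowsPath(src_img).name.lower() != PureWindowsPath(dst_img).name.lower():
            flagged[key] = n
    return flagged


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (src, dst, src_img, dst_img), n in collapse(rows).items():
        print(f"{src} -> {dst} x{n}  {src_img} -> {dst_img}")
    print("cross-image writes:", len(cross_image_writes(rows)))
```

Run against this table the filter returns nothing, which is the point: the 64 rows reduce to four firefox-to-firefox edges. The file-name comparison is deliberately coarse; a sample that copies itself under a legitimate name would pass it, so treat an empty result as "nothing obvious", not as proof.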

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.0.702205284\1627350758" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7af5d8-3083-4000-949d-ceddce632739} 632 "\\.\pipe\gecko-crash-server-pipe.632" 1964 217fc9d7e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.1.796314485\928441741" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4d16ddc-7d59-4474-8464-20ba99760638} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2364 217eff70758 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.2.92558939\183765849" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3136 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0805fcd3-055f-4b2d-887c-cc678d13c32a} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2880 217822b6b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.3.1704918279\1324480748" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a18836e-0eef-4ea3-9b22-998fea712193} 632 "\\.\pipe\gecko-crash-server-pipe.632" 3580 217830ee058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.4.1552367329\440832949" -childID 3 -isForBrowser -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc4d2344-238a-47ec-82cd-cd9e2aad79e3} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4620 21783fbf158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.7.1117865421\506756882" -childID 6 -isForBrowser -prefsHandle 5040 -prefMapHandle 5140 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf4dabda-2c77-494e-ba6d-d2391d5ccc93} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5008 2178582ca58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.6.564232606\2048252047" -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79e3f21-6171-4a25-8273-91b9186c606a} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5428 2178582c458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.5.2015809654\556257803" -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5312 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a28474a5-c0fb-4e90-87c8-5d831b9d3de2} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5028 21784b40058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.8.50306029\827203966" -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 5884 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf88a4cc-57c4-44ea-b636-45903b685278} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5800 2178638a558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.9.389482194\408567147" -childID 8 -isForBrowser -prefsHandle 4644 -prefMapHandle 5324 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08632cc-6f58-447b-87ba-e8f113d899ab} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5820 21786a4da58 tab

C:\Users\Admin\Downloads\winrar-x64-622.exe

"C:\Users\Admin\Downloads\winrar-x64-622.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RepairLimit.csv"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\33f3c6673ba34f858207848c8e55e0ec /t 3968 /p 2496

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\winrar-x64-622.exe

"C:\Users\Admin\Downloads\winrar-x64-622.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 23.73.0.140:443 assets.msn.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 140.0.73.23.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.210.17.96:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.117.65.55:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 96.17.210.34.in-addr.arpa udp
N/A 127.0.0.1:50803 tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 plus.l.google.com udp
US 8.8.8.8:53 plus.l.google.com udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.162:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.162:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.win-rar.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 www.win-rar.com udp
US 8.8.8.8:53 www.win-rar.com udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 2.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
N/A 127.0.0.1:50809 tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
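The Network table above is dominated by resolver chatter, reverse lookups and Firefox/MSN/Google telemetry. The following helper, added here as an example and not part of the sandbox's tooling, parses rows in the report's own "Country Destination Domain Proto" layout and strips that noise so any remaining destination stands out as a C2 candidate. SAMPLE_ROWS is a subset of rows copied from this table; BENIGN_SUFFIXES is an analyst-maintained allowlist assumed for the example, not something the report provides.

```python
"""Triage helper for a sandbox report's Network table: drop loopback sockets,
reverse lookups and known desktop telemetry so that any remaining destination
(a C2 candidate) stands out. Added example; not part of the sandbox's tooling."""
import ipaddress
from collections import Counter

# Constructed sample: a subset of rows copied from the Network table above,
# in the report's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 23.73.0.140:443 assets.msn.com tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 push.services.mozilla.com udp
N/A 127.0.0.1:50803 tcp
NL 142.250.179.162:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 www.win-rar.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
"""

# Assumption (analyst-maintained, not from the report): domain suffixes an idle
# Windows 10 image with Firefox and Office contacts on its own. Keep it narrow:
# RATs do abuse legitimate services, so only pure telemetry endpoints belong here.
BENIGN_SUFFIXES = (
    "mozilla.com", "mozilla.net", "mozgcp.net", "mozaws.net",
    "msn.com", "google.com", "doubleclick.net",
)


def parse_row(line):
    """Split one table row; loopback rows carry no Domain column."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto}


def is_noise(row):
    """True for rows that say nothing about the sample's own traffic."""
    addr = ipaddress.ip_address(row["ip"])
    if addr.is_loopback or addr.is_private:
        return True                       # sandbox-local sockets
    if row["domain"].endswith(".in-addr.arpa"):
        return True                       # reverse lookups the OS does on its own
    return any(row["domain"] == s or row["domain"].endswith("." + s)
               for s in BENIGN_SUFFIXES)


def triage(table_text):
    """Return {(domain, ip, port, proto): count} for rows that survive the filter.
    DNS queries (port 53) are kept on purpose: a C2 hostname that never resolves
    still shows up as a query even when no TCP connection follows."""
    hits = Counter()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row and not is_noise(row):
            hits[(row["domain"], row["ip"], row["port"], row["proto"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (domain, ip, port, proto), n in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{domain or '-':45} {ip}:{port} {proto} x{n}")
```

On this table the only survivor is www.win-rar.com (one DNS query, two TCP 443 connections), i.e. the simulated user's WinRAR download; no destination attributable to the sample remains, consistent with the archive never having been extracted in this run.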

Files

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\suuk1m1w.default-release\activity-stream.discovery_stream.json.tmp

MD5 949d3e9072b895083096a9b308aba31e
SHA1 c07a9f80fbf87b305dbcdf5365d632983e704920
SHA256 18e2bf8bf6c05fdf61ed6f9d8fc47d8c1c46e6de9aa22fafc1df306467c52a29
SHA512 d0db2a9b1d6c1de4537400afea5bf4dc7e514365a427d41be683de5c95b5b6c377b02ca585c863fb26a31453a309bf0041ff228df45b719da8af5f8e41a47500

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js

MD5 d0cb7ca5945667795341501480608de1
SHA1 858e28dff9632f6cbee0b3a3be3c6ae94b5854da
SHA256 96d6687d5042857f5ec4088e3986f5d1e8592224aef9e2cc6d061b64b1f81719
SHA512 ee38fca801cc68441cc938fb8d1b9f542ce0766784dd5714f2b50a2029678688d2cbe0b18c73584e2fffbc6ca1a6a121a3968ef05dac75e363f195aec725a901

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

MD5 166b0d398a0ef44fad4447ada8f1e164
SHA1 8c1a648bbbe67c4d9fd1dfa5dc7430d369da745e
SHA256 c1840bd14b07688049000507d470e3f2d5ddfcb73aad93c692713540dbfdb07a
SHA512 f42be0e84680408ac88c7721c050b1dfe23374c2ca16751194bbd97aa0d06eec7ce7197dbe8c2a7705fc134ba7e820adddcda8922ea61ff01fe532cbeffdf9e8

C:\Users\Admin\Downloads\winrar-x64-622.iYQB1lLN.exe.part

MD5 ae6c4b17db4068af4e2fcde84a1ef043
SHA1 397023b7f5cb7899ecb6eab3ca1f74c607d84b93
SHA256 caa18f2b98e8af2bc16cddf0ff06651e29a2005a3f9ed58097834d92eb3a477b
SHA512 3cf7f6b09ce6cdd9ab7580b1219ab14bdd0cff4af70de297fc57556059f1168a3ea8319662794f566390711ded5061e25ffa4e980518bed86f11d33b308abb51

C:\Users\Admin\Downloads\winrar-x64-622.exe

MD5 8a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1 e0c4e5f7e08207319637c963c439e60735939dec
SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA512 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

C:\Users\Admin\Downloads\winrar-x64-622.exe

MD5 8a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1 e0c4e5f7e08207319637c963c439e60735939dec
SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA512 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js

MD5 0bbaf059080289f29695a86a8e41b412
SHA1 f8b400a0fc531f65bf20fa1122ca02915c923a47
SHA256 479d8282c581d58453dcae7a3ae30538c92a689841991e8ca6a14b2df733769b
SHA512 5a9bcd04803bf88cc7b3079a1384be37c552c9063b96f01395a428ef4342b015686f0a07115652edc7e3bd6c0203a5e6e5acf97362c896520b4934524227211b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore.jsonlz4

MD5 9287788e87f4eb2662f506e8e1718a09
SHA1 599ace3271ff6ce73b65a0a30f65b6c8fc088c59
SHA256 60146436caee395c4bbc49796b28cc0896279c31f33ed95111e6403256b17bcc
SHA512 ee31a432b8c4cae00c0d20a23344aea9fe7bce4c17c7bf0d611ace8f008547fc30ca7b292c9724f6d5f5c3c5e6a2c22dc570fb2bf9ebacb221ad4c76142bb0c8

memory/4580-419-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-420-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-422-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-423-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-424-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-425-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-426-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-421-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-427-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-428-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-429-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-430-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-431-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-432-0x00007FF9A7B20000-0x00007FF9A7B30000-memory.dmp

memory/4580-433-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-434-0x00007FF9A7B20000-0x00007FF9A7B30000-memory.dmp

memory/4580-435-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 cc37c8a0932f72c0ebd005853f99d37b
SHA1 bcbdbb189a4fec14b038a75c59a1a5f8c575ad5d
SHA256 918700b63a90b983fa886a3230c49d16ef109a8abe6fc239840acdaf8c102398
SHA512 70c5d3006ce41f2d451cef79f9a6a940f42a4299bd41af31e50cef8bc1729a611389ec80ace79f0e4f502e18d641d36f055cb6ee3c4d46e442f87d7ed25537af

memory/4580-461-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-463-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

memory/4580-464-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-462-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-465-0x00007FF9AA350000-0x00007FF9AA360000-memory.dmp

memory/4580-466-0x00007FF9EA2D0000-0x00007FF9EA4C5000-memory.dmp

C:\Users\Admin\Downloads\winrar-x64-622.exe

MD5 8a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1 e0c4e5f7e08207319637c963c439e60735939dec
SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA512 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Analysis: behavioral3

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1567s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a860e6568f236920c7bc2907b4b7fd0e
SHA1 d27c4ab6dbd6599cd0aafcdb0d0d28031b07b793
SHA256 5a06614cc643b1a8018d91310af07a3eb1886f898d2f9337c03d5377eacb823c
SHA512 e311167e991db7b646d57e784bb338e05a316c4ba3bc8a9f0a668915997b3457a318b5d2c61936a25388272e55052b0a3277c0d32b6fdea11ab5856a24c764b2

Analysis: behavioral19

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:10

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1564s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 47c3687ce8ea7a48552e53f3e451f9c3
SHA1 3f30b670f8290ade782fb8c22ef7068b5cd61ff2
SHA256 e011cbc75211bc369cb874fd670ae55dece7bef768f03b1cd5f2a492bea8fa7e
SHA512 c4b7aea7b50c0ca068afcf605ee1a142e9ce384076a54d527d3062aaaa6f27e82a15a7fdd86efe78d47251449812c31986f8fa1bed8a8e51bc03350c65d4311c

Analysis: behavioral23

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1568s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c690ebfa6bf4ec70936206eedab63d32
SHA1 75b15f54c736e75eb48c6d8d630cadf0a6eb41d9
SHA256 e989158a1048868f70d8b9ca7166eda7c18ac08a4d270a408abf7a7788061da7
SHA512 0a29629c33864cb373b2203c960c544996a157413661546ca4295794877463a57c99c64e4dd7e0adf1e2387068dca9efd286267b1428fe9320e42c0e8910d8e9

Analysis: behavioral10

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

1369s

Max time network

1162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 204.229.80.104.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.129.241.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:10

Platform

win10v2004-20230703-en

Max time kernel

694s

Max time network

1154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.151.241.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win10v2004-20230703-en

Max time kernel

1372s

Max time network

1158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:15

Platform

win10v2004-20230703-en

Max time kernel

825s

Max time network

1166s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.209.247.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:15

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1575s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b4acb3879e42063dfa6a3031f76ece38
SHA1 42ffa8298ed58ea8a962d9743be0ad5829b1d959
SHA256 a48952b7bbe09ab1d43f64489c5f5a65d8ddfa638ef59607eb1009a0a77b8345
SHA512 78d7fc698c6eaba8b76059d71c211ac830b10d7be20d27a6a07c28418c8304522200b9694df601ce1544a63233303d9be86c5759f46a8af7287936f31e0c6424

Analysis: behavioral15

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:54

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1574s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f2f48f8dd487ba7e743cd856f13c8f60
SHA1 8ca1fc07afa0f52c2c5faf49be7197f6189335df
SHA256 1c8542d1cbd9ad39ced173a09607fcac3c9676e22efc4ffe55d4f66cb6873582
SHA512 706c1e94a9f0a38acbee8f8886b1f8fd6f0c8f8aa4821dde741dbdbb42b64046094da76308517b73343483f9474d2289c0b4be9d5b935bd3755c2f5658b712db

Analysis: behavioral24

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win10v2004-20230703-en

Max time kernel

1142s

Max time network

1150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.FormSendFileToMemory.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win7-20230712-en

Max time kernel

1563s

Max time network

1574s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 791aca372084c18a3aa62015c936019f
SHA1 6ef8ccdd995b4c98bb7800f17170879a75ab91b8
SHA256 2d2c6043151c9a90ff386f4886d5dd80f89a0c1c2af4b9a493837816ebea5f43
SHA512 1066e24f1b66f3f6ab6bcf611b67f09094e40e2ab8bd6b9286bcc1df8be9c84b03399301addb92acbcc391922920453ab82de863f78082d042bfc682b2df66b5

Analysis: behavioral20

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win10v2004-20230703-en

Max time kernel

673s

Max time network

1139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Quasar.Server.Forms.FrmReverseProxy.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:15

Platform

win10v2004-20230703-en

Max time kernel

1709s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.165.241.8.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:50

Platform

win10v2004-20230703-en

Max time kernel

706s

Max time network

1163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:10

Platform

win10v2004-20230703-en

Max time kernel

1766s

Max time network

1146s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmTransfer.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.151.241.8.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 204.121.126.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.81.142.11:80 www.microsoft.com tcp
NL 104.81.142.11:80 www.microsoft.com tcp
US 8.8.8.8:53 11.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win7-20230712-en

Max time kernel

1803s

Max time network

1569s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 081c7ad0d4f4674950af5a44dcba66da
SHA1 607be2202780c09f39c71c75aa7efede47be08de
SHA256 a2d8287fbf915c7de049cfcc4625c03288a3246a72482e829fb2cd2022649896
SHA512 2f482b5a221fc47834f82466f8af506f89bb930238974e65763df92af7fd706fb4620e97683472293a38ad51862848d8c86d74f3908bef3f8b8fa6ef86006bed

Analysis: behavioral27

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:12

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1574s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAudio.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5b6513da4408422db213a764fa4c07b4
SHA1 6b74a102be308c37a6e4a3e0176bc09b84a6d775
SHA256 1bc4038cb79b120359079f8ede9a6f56f5decc41eed3432f3b9d4f7958b5092c
SHA512 5da711b5c6a9e61f444659ee0f910c04793518aa84341fae81be0e0896c50e0900077e4cdb9834b53042679b6c60269d4865234134e3667ab33965b37275504c

Analysis: behavioral32

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:15

Platform

win10v2004-20230703-en

Max time kernel

810s

Max time network

1150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormCertificate.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.209.247.8.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win7-20230712-en

Max time kernel

1757s

Max time network

1597s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2592 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2592 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2904 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2904 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2904 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.rar"

Network

N/A

Files

memory/2900-82-0x000000013FFC0000-0x00000001400B8000-memory.dmp

memory/2900-83-0x000007FEFADC0000-0x000007FEFADF4000-memory.dmp

memory/2900-84-0x000007FEF5C90000-0x000007FEF5F44000-memory.dmp

memory/2900-85-0x000007FEF7ED0000-0x000007FEF7EE8000-memory.dmp

memory/2900-86-0x000007FEF7EB0000-0x000007FEF7EC7000-memory.dmp

memory/2900-87-0x000007FEF6C80000-0x000007FEF6C91000-memory.dmp

memory/2900-88-0x000007FEF6C20000-0x000007FEF6C37000-memory.dmp

memory/2900-89-0x000007FEF6490000-0x000007FEF64A1000-memory.dmp

memory/2900-90-0x000007FEF6470000-0x000007FEF648D000-memory.dmp

memory/2900-91-0x000007FEF6450000-0x000007FEF6461000-memory.dmp

memory/2900-92-0x000007FEF3FD0000-0x000007FEF507B000-memory.dmp

memory/2900-93-0x000007FEF3C90000-0x000007FEF3E90000-memory.dmp

memory/2900-94-0x000007FEF62F0000-0x000007FEF632F000-memory.dmp

memory/2900-95-0x000007FEF62C0000-0x000007FEF62E1000-memory.dmp

memory/2900-96-0x000007FEF3C00000-0x000007FEF3C18000-memory.dmp

memory/2900-97-0x000007FEF3BE0000-0x000007FEF3BF1000-memory.dmp

memory/2900-98-0x000007FEF3BC0000-0x000007FEF3BD1000-memory.dmp

memory/2900-99-0x000007FEF3BA0000-0x000007FEF3BB1000-memory.dmp

memory/2900-100-0x000007FEF3B80000-0x000007FEF3B9B000-memory.dmp

memory/2900-101-0x000007FEF3B60000-0x000007FEF3B71000-memory.dmp

memory/2900-102-0x000007FEF3B40000-0x000007FEF3B58000-memory.dmp

memory/2900-103-0x000007FEF3B10000-0x000007FEF3B40000-memory.dmp

memory/2900-104-0x000007FEF3AA0000-0x000007FEF3B07000-memory.dmp

memory/2900-105-0x000007FEF3A30000-0x000007FEF3A9F000-memory.dmp

memory/2900-106-0x000007FEF3A10000-0x000007FEF3A21000-memory.dmp

memory/2900-107-0x000007FEF39B0000-0x000007FEF3A06000-memory.dmp

memory/2900-108-0x000007FEF3980000-0x000007FEF39A8000-memory.dmp

memory/2900-109-0x000007FEF3950000-0x000007FEF3974000-memory.dmp

memory/2900-112-0x000007FEF38E0000-0x000007FEF38F1000-memory.dmp

memory/2900-111-0x000007FEF3900000-0x000007FEF3923000-memory.dmp

memory/2900-110-0x000007FEF3930000-0x000007FEF3947000-memory.dmp

memory/2900-113-0x000007FEF38C0000-0x000007FEF38D2000-memory.dmp

memory/2900-114-0x000007FEF3890000-0x000007FEF38B1000-memory.dmp

memory/2900-115-0x000007FEF3870000-0x000007FEF3883000-memory.dmp

memory/2900-116-0x000007FEF3850000-0x000007FEF3862000-memory.dmp

memory/2900-117-0x000007FEF3710000-0x000007FEF384B000-memory.dmp

memory/2900-118-0x000007FEF36E0000-0x000007FEF370C000-memory.dmp

memory/2900-119-0x000007FEF3520000-0x000007FEF36D2000-memory.dmp

memory/2900-121-0x000007FEF34A0000-0x000007FEF34B1000-memory.dmp

memory/2900-120-0x000007FEF34C0000-0x000007FEF351C000-memory.dmp

memory/2900-122-0x000007FEF3400000-0x000007FEF3497000-memory.dmp

memory/2900-123-0x000007FEF33E0000-0x000007FEF33F2000-memory.dmp

memory/2900-124-0x000007FEF31A0000-0x000007FEF33D1000-memory.dmp

memory/2900-125-0x000007FEF3080000-0x000007FEF3192000-memory.dmp

memory/2900-126-0x000007FEF3040000-0x000007FEF3075000-memory.dmp

memory/2900-127-0x000007FEF3010000-0x000007FEF3035000-memory.dmp

memory/2900-128-0x000007FEF2FF0000-0x000007FEF3001000-memory.dmp

memory/2900-129-0x000007FEF2F80000-0x000007FEF2FE1000-memory.dmp

memory/2900-130-0x000007FEF2F60000-0x000007FEF2F71000-memory.dmp

memory/2900-131-0x000007FEF2F40000-0x000007FEF2F52000-memory.dmp

memory/2900-132-0x000007FEF2F20000-0x000007FEF2F33000-memory.dmp

memory/2900-133-0x000007FEF2E80000-0x000007FEF2F1F000-memory.dmp

memory/2900-134-0x000007FEF2E60000-0x000007FEF2E71000-memory.dmp

memory/2900-135-0x000007FEF2D50000-0x000007FEF2E52000-memory.dmp

memory/2900-136-0x000007FEF2D30000-0x000007FEF2D41000-memory.dmp

memory/2900-137-0x000007FEF2D10000-0x000007FEF2D21000-memory.dmp

memory/2900-138-0x000007FEF2CF0000-0x000007FEF2D01000-memory.dmp

memory/2900-139-0x000007FEF2CD0000-0x000007FEF2CE2000-memory.dmp

memory/2900-140-0x000007FEF2CB0000-0x000007FEF2CC8000-memory.dmp

memory/2900-141-0x000007FEF2C90000-0x000007FEF2CA6000-memory.dmp

memory/2900-143-0x000007FEF2C40000-0x000007FEF2C52000-memory.dmp

memory/2900-142-0x000007FEF2C60000-0x000007FEF2C89000-memory.dmp

memory/2900-144-0x000007FEF2C20000-0x000007FEF2C31000-memory.dmp

memory/2900-145-0x000007FEF2C00000-0x000007FEF2C11000-memory.dmp
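
Reading the runs above together: every detonation in this section is cmd /c on one file extracted from the archive, and the extensions involved (.resources, .cs, .rar) have no registered handler on either sandbox image. On the win7 image Windows answers with rundll32 shell32.dll,OpenAs_RunDLL, which writes a resources_auto_file ProgID and its shell\Read\command under the user's Classes hive and then starts Adobe Reader (VLC for the .rar); on the win10 image the same dialog runs as OpenWith.exe -Embedding. The Process column attributes the "Modifies registry class", SetWindowsHookEx, GetForegroundWindowSpam and AddClipboardFormatListener signatures to those Windows components and viewers, and the three WriteProcessMemory rows in behavioral1 pair each parent with the child it launched (cmd.exe to rundll32.exe to vlc.exe), which is what process creation looks like to that signature. The helper below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in this page's layout and records, per run, whether the file went through the Open With fallback, which viewer ended up holding it, and which file association was written. Its only assumption is the row layout used on this page; the sample input is copied from the behavioral21 run.

```python
"""Triage helper for the flattened sandbox-report rows used on this page.

Added example, not part of the report or of the sandbox's own tooling. It reads
the "Processes" and "Modifies registry class" rows of one run and records
whether the opened file went through Windows' Open With fallback, which viewer
finally received it, and which <ext>_auto_file association was written.
"""
import ntpath
import re

# Constructed input: rows copied verbatim from the behavioral21 run on this page.
PROCESS_LINES = [
    r'cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources',
    r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Form1.resources"',
]
REGISTRY_LINES = [
    r'Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A',
]

# The two shapes of the Open With dialog seen on this page: rundll32 with
# OpenAs_RunDLL on the win7 image, COM-activated OpenWith.exe on the win10 image.
OPEN_WITH_MARKERS = ("shell32.dll,OpenAs_RunDLL", "OpenWith.exe -Embedding")
# Stages that only relay the file; anything else that receives the path is the handler.
RELAY_IMAGES = {"cmd", "rundll32", "openwith"}

SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+) = "(?P<val>.*)" (?P<proc>\S+) (?P<target>\S+)$')
EXT_KEY_RE = re.compile(r'\\(?P<ext>\.[^\\]+)\\$')            # ...\.resources\
VERB_KEY_RE = re.compile(r'\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\$')


def unescape(value):
    """Undo the report's C-style escaping of quotes and backslashes in values."""
    return re.sub(r'\\(.)', r'\1', value)


def exe_of(cmdline):
    """Image path at the start of a command line, with or without quotes."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def image_name(exe):
    """Lower-case base name without .exe, e.g. 'rundll32'."""
    name = ntpath.basename(exe).lower()
    return name[:-4] if name.endswith(".exe") else name


def auto_file_associations(lines):
    """Map each extension to the (ProgID, verb, command) the run wrote for it."""
    ext_to_progid, progid_to_cmd = {}, {}
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        key, val = m["key"], unescape(m["val"])
        if (e := EXT_KEY_RE.search(key)):
            ext_to_progid[e["ext"]] = val
        elif (v := VERB_KEY_RE.search(key)):
            progid_to_cmd[v["progid"]] = (v["verb"], val)
    return {ext: (progid, *progid_to_cmd[progid])
            for ext, progid in ext_to_progid.items() if progid in progid_to_cmd}


def classify(process_lines, registry_lines):
    """Summarise one run: file opened, extension, dispatch path, final handler."""
    m = re.match(r"^cmd /c (?P<path>.+)$", process_lines[0]) if process_lines else None
    path = m["path"] if m else None
    ext = ntpath.splitext(path)[1] if path else None
    via_open_with = any(mark in line for line in process_lines for mark in OPEN_WITH_MARKERS)
    handler = None
    for line in process_lines:
        exe = exe_of(line)
        if image_name(exe) not in RELAY_IMAGES and path and path in line:
            handler = exe
    return {
        "file": path,
        "extension": ext,
        "open_with_dialog": via_open_with,
        "handler": handler,
        "association": auto_file_associations(registry_lines).get(ext),
        "verdict": "open-with fallback" if via_open_with else "direct execution",
    }


if __name__ == "__main__":
    for field, value in classify(PROCESS_LINES, REGISTRY_LINES).items():
        print(f"{field:>16}: {value}")
```

Run as-is it summarises the behavioral21 rows; paste the Processes and registry rows of any other run on this page into the two lists to compare. The run worth a closer look is one whose first process row is not cmd /c on an extracted file, or whose final handler is not a stock viewer from the sandbox image.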

Analysis: behavioral6

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

1685s

Max time network

1171s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\ReverseProxyHandler.cs

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\ReverseProxyHandler.cs

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 204.229.80.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:46

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1570s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMassUpdate.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5311d2ed216a7ae5f1ad86cbce8fafbf
SHA1 c4fede6e4192c285e78d7c8fbe5e4f25bf812c19
SHA256 63a79aeabe35b0cfc51192490307e25a5053e258c1881112fd70792018339c02
SHA512 68fd2cdca711f1832f679a07a89ae53f58bd1e14cc7834bcb856230d81aa4eb2d1053f671bd88456572ad72d92f2b2e9b2fdf7f3a19240fa09c5e1b1512d6af2

Analysis: behavioral8

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

1726s

Max time network

1169s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Helper.cs

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Helper.cs

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 204.229.80.104.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

1745s

Max time network

1129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmMain.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 204.229.80.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 126.154.241.8.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:10

Platform

win7-20230712-en

Max time kernel

1803s

Max time network

1571s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmURL.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bcaa394b2cf9e0c73c0d97c4f86b4f0e
SHA1 ca7e4ab236668e774738ececd7efc5252afd28e0
SHA256 4d3a80ccf4930f8cf5f2a5dcbaffb68d7494236d0fd96e2824f986fe269d8cf0
SHA512 cd60ccb7387d35ee2ca4abf7a2b225ef50adba377d28398f318c01d21ec9b2007cfb27e78862e7a155b7574e3af7559416571b4d4534aa0382e34bfe8603e13e

Analysis: behavioral4

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 15:44

Platform

win10v2004-20230703-en

Max time kernel

823s

Max time network

1162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\FrmReverseProxy.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-07-24 15:13

Reported

2023-07-24 16:11

Platform

win7-20230712-en

Max time kernel

1802s

Max time network

1569s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b615d98ca81904f39dc49eef0ef67e07
SHA1 9ba26502aeaac9a2d5a1de643625534c21fdce17
SHA256 cfabc7e1a40c3ce6eb3db5592ce6b8d77f94c3fcbcc64c913684a16ac2b50f82
SHA512 e909db79f24b345f89be0ed50987fe25dfa7ca19ace362a8a48bd8f293d9955874c9458cb2b2ef6e3dca078d9c5b22d87e63fcf5bb6fe2c1e9d5527357501cee

Analysis: behavioral26

Detonation Overview

Submitted 2023-07-24 15:13
Reported 2023-07-24 16:11
Platform win10v2004-20230703-en
Max time kernel 1711s
Max time network 1173s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormAbout.resources

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 204.45.123.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.138.241.8.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp
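
Every row in this table is a PTR query (reverse DNS) to Google's public resolver, and the sandbox prints the `in-addr.arpa` name rather than the address it encodes; the four octets appear in reverse order, so reading off which addresses the guest was trying to name takes a small decode step. No process in this detonation's Processes list is the sample's own code (cmd.exe opened the `.resources` file and `OpenWith.exe` is the Windows Open With dialog), so these lookups have no sample process to be attributed to. The script below is an added example written for this report, not part of the sandbox's output or the sample: it copies the rows above as its input, takes the four-column layout from the table header as given, decodes each name, flags the lookup where the resolver is asked about its own address, and buckets the decoded addresses by /16 so clustered ranges can be handed to WHOIS.

```python
"""Decode the reverse-DNS (PTR) queries in a sandbox 'Network' table.

Added example for this report, not part of the sandbox's own tooling. The
rows in NETWORK_ROWS are copied from the behavioral26 Network table above;
the column layout the parser assumes (country, destination, domain, proto)
is read off that table's header.
"""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
"""

# IPv4 PTR names carry the four octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_name_to_ip(name):
    """'88.156.103.20.in-addr.arpa' -> '20.103.156.88'; None if not an IPv4 PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.group(1).split(".")[::-1]
    try:
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def parse_network_table(text):
    """Parse 'country destination domain proto' rows into dicts with a decoded IP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header line or blank
        country, dest, domain, proto = parts
        rows.append({
            "country": country,
            "resolver": dest,
            "query": domain,
            "proto": proto,
            "ip": ptr_name_to_ip(domain),
        })
    return rows


def decoded_ips(text):
    """Sorted, de-duplicated list of the addresses whose PTR records were requested."""
    ips = {r["ip"] for r in parse_network_table(text) if r["ip"]}
    return sorted(ips, key=ipaddress.IPv4Address)


def resolver_self_lookups(text):
    """Queries that ask the resolver for its own PTR record (8.8.8.8 asked about 8.8.8.8)."""
    return [r for r in parse_network_table(text)
            if r["ip"] and r["resolver"].split(":")[0] == r["ip"]]


def prefix_histogram(text, prefixlen=16):
    """Count decoded addresses per /prefixlen so clustered ranges stand out for WHOIS follow-up."""
    counts = Counter()
    for ip in decoded_ips(text):
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts


if __name__ == "__main__":
    for row in parse_network_table(NETWORK_ROWS):
        print(f"{row['query']:<35} -> {row['ip']}")
    print("self lookups:", [r["query"] for r in resolver_self_lookups(NETWORK_ROWS)])
    print("per /16:", dict(prefix_histogram(NETWORK_ROWS)))
```

Ownership of the decoded ranges is deliberately left to the analyst's WHOIS step; the script only recovers the addresses and groups them, which is what the sandbox's PTR-name rendering hides.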

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted 2023-07-24 15:13
Reported 2023-07-24 16:15
Platform win7-20230712-en
Max time kernel 1801s
Max time network 1569s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\Server.Forms.FormBuilder.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 06d93b9a8bd078e3a6d47ef66631bede
SHA1 8f3667c6f7632b85c99c63b39f1ac5352d3ee691
SHA256 853631eed75cc079fec06b663238fcce83b6ff9b53198f34f1dee5bf28e39f47
SHA512 1ca70a84884f3bb1b792d73f9d9aece7698d0802ce3cc3f222a0fc5a7eb37c93499c123c13043328349d47384a4b36fba8e5f522ae9504f8abf8c2d1d8d4f75a

Analysis: behavioral5

Detonation Overview

Submitted 2023-07-24 15:13
Reported 2023-07-24 15:44
Platform win7-20230712-en
Max time kernel 1803s
Max time network 1567s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\ReverseProxyHandler.cs

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\ReverseProxyHandler.cs

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Forms\ReverseProxyHandler.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2eecb3f8a672141a769b8f134a2606bc
SHA1 8c09976b0f351138fb18947947a43e7a0636cd18
SHA256 ca8e8423203af300dd538cfb99a8687bd046887f167c6510534bef6b2af019bd
SHA512 467df85d0f01b1c68eb9df448d7e8ffe1e4b94f61e11cae762ebf857939a62638af8d5ac2c06a4fe672826ecf483705ae7ad50bddb9889d6a887991b13499115

Analysis: behavioral7

Detonation Overview

Submitted 2023-07-24 15:13
Reported 2023-07-24 15:44
Platform win7-20230712-en
Max time kernel 1801s
Max time network 1569s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Helper.cs

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Helper.cs

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Quasar\Server\Helper.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 256840d9ed12b98ffe22076a0b86526f
SHA1 137e74b495917104cbdc8bbc914ba764b9520c2e
SHA256 4bac8c7ed831d33063d6b0dcd08c171e7cb6d2535720d036868e6174ff0e2490
SHA512 3338e22aa4fffdff23aa3668635ab9a3964ab2c7910e08458609aa383ebffefd7d4e40a803dce0b1cabf36bdf046ca1e7eb7c347230491b86ce2407f4ebc9930

Analysis: behavioral9

Detonation Overview

Submitted 2023-07-24 15:13
Reported 2023-07-24 15:44
Platform win7-20230712-en
Max time kernel 1802s
Max time network 1570s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.resources\ = "resources_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\resources_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat\VenomRAT_HVNC\Resources\HVNC.FrmBuilder.resources"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a3e92b35687fcdc83eb58bab2952ef5a
SHA1 2dc21f00d6defbca3c0d2b2795e4108f4205c8f9
SHA256 6800db6e6a065b1cd912f00e09144a78012346acca5c5156bad5c380c9da2166
SHA512 4adeaedf5304191d7a4f6636fe059682645decdf213ee8ffadd2625da35dd998eb3ae52f44ffe159a6f819dc087280a05799ad5c8797a8076629d08153285e7e